The recently disclosed Follina zero-day flaw (CVE-2022-30190) is being exploited by a Chinese APT group. The flaw lets attackers execute code on Windows systems through the Microsoft Support Diagnostic Tool (MSDT) URL protocol, triggered by a crafted Word document.

The exploitation of the flaw

  • TA413 APT group is exploiting the Follina flaw (CVE-2022-30190) in attacks against the international Tibetan community by using the tibet-gov[.]web[.]app domain.
  • The attackers abuse the vulnerability to run malicious code via the MSDT URL protocol. The trigger is a malformed Word document, delivered inside a ZIP archive, that the target opens or merely previews.
  • The recent campaigns impersonate the Women Empowerments Desk of the Central Tibetan Administration. 
Additionally, another security researcher has spotted DOCX documents with Chinese filenames being used to deliver payloads, detected as password-stealing trojans, fetched from http://coolrat[.]xyz.
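The lure documents described above work because a Word file's relationship part can point an OLE object at an external URL, which Word then fetches; the returned HTML page hands an ms-msdt: URL to the protocol handler. The scanner below is an added example, not code from the article or from the researchers it cites. It flags .docx files whose oleObject relationship has an external target, or whose relationship target names the ms-msdt: handler outright. It assumes the standard OOXML layout (relationship parts under word/_rels/); the sample files it builds are constructed for this example and use the reserved domain example.invalid, not any real campaign infrastructure.

```powershell
# Added example: detect Follina-style external oleObject relationships in .docx files.
# Not code from the article; the sample documents built here are constructed.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-FollinaDocx {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Only relationship parts can declare an external target, so read just those
        foreach ($entry in ($zip.Entries | Where-Object { $_.FullName -like 'word/_rels/*.rels' })) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }

            foreach ($rel in @($rels.Relationships.Relationship)) {
                $isOle      = $rel.Type -like '*/relationships/oleObject'
                $isExternal = $rel.TargetMode -eq 'External'
                if ($isOle -and $isExternal) {
                    $findings += "$($entry.FullName): external oleObject -> $($rel.Target)"
                }
                # A relationship that names the protocol handler directly is never legitimate
                if ($rel.Target -match '^ms-msdt:') {
                    $findings += "$($entry.FullName): ms-msdt: target -> $($rel.Target)"
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

function New-SampleDocx {
    # Builds a minimal .docx-shaped zip holding only the relationships part (constructed data).
    # -External mimics the Follina lure; without it the OLE object is a benign embedded part.
    param([Parameter(Mandatory)][string]$Path, [switch]$External)

    if (Test-Path $Path) { Remove-Item $Path }
    $target = if ($External) {
        'Target="http://example.invalid/lure.html!" TargetMode="External"'   # constructed URL
    } else {
        'Target="embeddings/oleObject1.bin"'
    }
    $rels = '<?xml version="1.0" encoding="UTF-8"?>' +
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">' +
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" ' +
            $target + '/></Relationships>'

    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        $writer = New-Object System.IO.StreamWriter($zip.CreateEntry('word/_rels/document.xml.rels').Open())
        try { $writer.Write($rels) } finally { $writer.Dispose() }
    } finally {
        $zip.Dispose()
    }
}

# Usage: build one lure-like and one benign sample, then scan both
$lure   = Join-Path $env:TEMP 'follina-like.docx'
$benign = Join-Path $env:TEMP 'benign.docx'
New-SampleDocx -Path $lure -External
New-SampleDocx -Path $benign
Test-FollinaDocx -Path $lure     # reports the external oleObject target
Test-FollinaDocx -Path $benign   # reports nothing
```

The check is deliberately narrow: an oleObject relationship with TargetMode="External" is the structural trait every Follina lure needs, whereas grepping document text for a URL misses the .html! target and fires on ordinary hyperlinks. Point Test-FollinaDocx at files extracted from incoming ZIP archives before anyone opens or previews them.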

Workarounds and Mitigation

Microsoft has provided workarounds and mitigation measures to block any attacks exploiting the Follina flaw:
  • Admins and users should disable the MSDT URL protocol by backing up and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key from an elevated command prompt (reg export followed by reg delete). With the key gone, Office can no longer hand a URL to msdt.exe.
  • After Microsoft releases a patch for CVE-2022-30190, the workaround can be undone by launching an elevated command prompt and running reg import ms-msdt.reg against the backup taken earlier.
  • Users are also advised to disable the Preview pane in Windows Explorer, since previewing a malicious document is enough to trigger the flaw.
Microsoft further stated that Microsoft Defender Antivirus with security intelligence update 1.367.719.0 or newer detects attempts to exploit this flaw.
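The steps above, scripted end to end, as an added example (not Microsoft's published commands verbatim and not code from the article): it backs up and deletes the ms-msdt handler key, verifies the deletion, restores the key from the backup once the patch is in, and checks the Defender signature version the article quotes. It assumes an elevated PowerShell session on Windows; the backup location C:\Backups\ms-msdt.reg is this example's choice.

```powershell
# Added example: apply, verify and revert Microsoft's CVE-2022-30190 workaround.
# Not the article's or Microsoft's code; the backup path below is an assumption.

$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = 'C:\Backups\ms-msdt.reg'

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-MsdtProtocolDisabled {
    # The handler is gone when the HKCR key no longer exists
    return -not (Test-Path "Registry::$KeyPath")
}

function Disable-MsdtProtocol {
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }
    if (Test-MsdtProtocolDisabled) { Write-Host "$KeyPath already absent; nothing to do"; return }

    New-Item -ItemType Directory -Path (Split-Path $BackupFile -Parent) -Force | Out-Null

    # Step 1: export the key so the workaround can be reverted once the patch is installed
    reg export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $KeyPath failed; not deleting it" }

    # Step 2: delete the protocol handler so Office can no longer hand a URL to msdt.exe
    reg delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deleting $KeyPath failed" }

    if (-not (Test-MsdtProtocolDisabled)) { throw "$KeyPath still present after delete" }
    Write-Host "ms-msdt: handler removed; backup at $BackupFile"
}

function Enable-MsdtProtocol {
    # Revert: only do this after the CVE-2022-30190 fix is installed
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Importing $BackupFile failed" }
    Write-Host "ms-msdt: handler restored from $BackupFile"
}

function Test-DefenderSignatureCurrent {
    # Threshold from the article: security intelligence 1.367.719.0 or newer carries the detections
    $minimum = [version]'1.367.719.0'
    $status  = Get-MpComputerStatus
    return ([version]$status.AntivirusSignatureVersion -ge $minimum)
}

# Usage (elevated):
#   Disable-MsdtProtocol            # apply the workaround now
#   Test-MsdtProtocolDisabled       # $true once the key is gone
#   Test-DefenderSignatureCurrent   # $true when signatures are at or past 1.367.719.0
#   Enable-MsdtProtocol             # revert after the patch is installed
```

The export runs before the delete and the delete is skipped if the export fails, so the workaround is never applied without a way back. The Explorer Preview pane is a per-user view setting (View > Preview pane), so it is left to the user here rather than written to the registry.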

Conclusion

Whenever a critical flaw is discovered, cybercriminals leave no stone unturned to exploit it. Just days after its disclosure, Follina is already being exploited by the TA413 APT group, and researchers expect other attackers to join soon. Users are therefore advised to apply the mitigation steps provided by Microsoft without waiting for a patch.
Cyware Publisher